On 2019-05-29 18:17, Paul Moore wrote: > On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > > > Audit events could happen in a network namespace outside of a task > > context due to packets received from the net that trigger an auditing > > rule prior to being associated with a running task. The network > > namespace could be in use by multiple containers by association to the > > tasks in that network namespace. We still want a way to attribute > > these events to any potential containers. Keep a list per network > > namespace to track these audit container identifiiers. > > > > Add/increment the audit container identifier on: > > - initial setting of the audit container identifier via /proc > > - clone/fork call that inherits an audit container identifier > > - unshare call that inherits an audit container identifier > > - setns call that inherits an audit container identifier > > Delete/decrement the audit container identifier on: > > - an inherited audit container identifier dropped when child set > > - process exit > > - unshare call that drops a net namespace > > - setns call that drops a net namespace > > > > Please see the github audit kernel issue for contid net support: > > https://github.com/linux-audit/audit-kernel/issues/92 > > Please see the github audit testsuiite issue for the test case: > > https://github.com/linux-audit/audit-testsuite/issues/64 > > Please see the github audit wiki for the feature overview: > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> > > Acked-by: Neil Horman <nhorman@xxxxxxxxxxxxx> > > Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > include/linux/audit.h | 19 +++++++++++ > > kernel/audit.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++++-- > > kernel/nsproxy.c | 4 +++ > > 3 files changed, 108 insertions(+), 3 deletions(-) > > ... > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 6c742da66b32..996213591617 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -376,6 +384,75 @@ static struct sock *audit_get_sk(const struct net *net) > > return aunet->sk; > > } > > > > +void audit_netns_contid_add(struct net *net, u64 contid) > > +{ > > + struct audit_net *aunet; > > + struct list_head *contid_list; > > + struct audit_contid *cont; > > + > > + if (!net) > > + return; > > + if (!audit_contid_valid(contid)) > > + return; > > + aunet = net_generic(net, audit_net_id); > > + if (!aunet) > > + return; > > + contid_list = &aunet->contid_list; > > + spin_lock(&aunet->contid_list_lock); > > + list_for_each_entry_rcu(cont, contid_list, list) > > + if (cont->id == contid) { > > + refcount_inc(&cont->refcount); > > + goto out; > > + } > > + cont = kmalloc(sizeof(struct audit_contid), GFP_ATOMIC); > > + if (cont) { > > + INIT_LIST_HEAD(&cont->list); > > I thought you were going to get rid of this INIT_LIST_HEAD() call? I was intending to, and then Neil weighed in with this opinion: https://www.redhat.com/archives/linux-audit/2019-April/msg00014.html If you feel that isn't important, please remove it. > > + cont->id = contid; > > + refcount_set(&cont->refcount, 1); > > + list_add_rcu(&cont->list, contid_list); > > + } > > +out: > > + spin_unlock(&aunet->contid_list_lock); > > +} > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs <rgb@xxxxxxxxxx> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
